Enterprise GIS: Security Strategy

Michael E. Young

Chief Product Security Officer

Matt Lorrain

Security Architect

Agenda

• Introduction

• Trends

• Strategy

• Mechanisms

• Server

• Mobile

• Cloud

• Compliance

IntroductionWhat is a secure GIS?

IntroductionWhat is “The” Answer?

Risk

Vulnerabilit

y

Thre

atImpact

IntroductionWhere are the vulnerabilities?

Core network component vulnerabilities were exposed last year, but application risks are still king

*SANS Relative Vulnerabilities

Michael Young

Current Real World Scenarios & Trends

TrendsWeb Application Attacks

*Verizon 2015 DBIR

Trends

• Number of mobile devices infected still relatively small

• 96% targeted against Android platform

• Mobile malware short lived- Piggybacks popular apps

• Mobile SDK’s being attacked- Ensure apps built with latest

SDK’s

• What can help?- Enterprise Mobility Management

enables control and visibility

Mobile attacks

* Verizon 2015 DBIR

TrendsTrends by Industry

* Verizon 2015 DBIR

• Frequency of incidents by pattern and industry

• Identify hot spots for your specific industry- Prioritize security

initiatives to mitigate against common threats

Real-world security scenarios

• Scenario- Organization utilizes cloud based services for disseminating disaster communications

- Required easy updates from home and at work

- Drove allowing public access to modify service information

• Lesson learned- Enforce strong governance processes for web publication

- Don’t allow anonymous users to modify web service content

- Minimize or eliminate “temporary” modification rights of anonymous users

- If web services are exposed to the internet, just providing security at the application level does not prevent direct service access

Disaster communications modified

Lack of strong governance leads to unexpected consequences

Real-world security scenarios

• Scenario- Hackers used a third-party vendor’s user name and password to enter network

- Hackers managed to elevate rights and deploy malware on systems

- Result- 56 million credit and debit cards compromised

- 53 million email addresses disclosed

• Lessons learned- Credential management and high-level of trust of “internal” users

- Use an Identity Provider with SAML 2.0 for accessing cloud-based applications

- Enforce 2-factor authentication – At a minimum administrators should do this

Using same username and password between systems leads to compromise

Real-World Security Scenarios

• Hint – The Trust.ArcGIS.com site will always have this answer handy…

QUIZ – When was the last ArcGIS Security patch released?

99.9% of vulnerabilities are exploited more than a year after being released

TrendsStrategic Shifts in Security Priorities for 2015 and Beyond

• Identity management priority increasing as security focus moves from network to data level

• Advanced Persistent Threats driving shift from Protect to Detect

• Encryption of Internet traffic via SSL v3 broken – Ensuring TLS utilized is necessary

• Password protection is broken – Stronger mechanisms required such as 2-factor auth

• Customers balancing security gateways for mobile solutions vs. VPN

• Patching beyond Operating systems critical

• End-of-life OS builds with XP and now Server 2003 present significant risk

Michael Young

Strategy

StrategyA better answer

• Identify your security needs- Assess your environment

- Datasets, systems, users

- Data categorization and sensitivity

- Understand your industry attacker motivation

• Understand security options- Trust.arcgis.com

- Enterprise-wide security mechanisms

- Application specific options

• Implement security as a business enabler- Improve appropriate availability of information

- Safeguards to prevent attackers, not employees

StrategyEnterprise GIS Security Strategy

Security Risk Management Process Diagram - Microsoft

StrategyEvolution of Esri Products & Services

Product

EnterpriseSolution

Isolated Systems

3rd Party Security

Integrated Systems

Embedded Security

Software as a Service

Managed Security

StrategyEsri Products and Solutions

• Secure Products- Trusted geospatial services

- Individual to organizations

- 3rd party assessments

• Secure Platform Management- Backed by Certifications / Compliance

• Secure Enterprise Guidance- Trust.ArcGIS.com site

- Online Help

ArcGIS

StrategySecurity Principles

Con

fiden

tialit

yAvailability

IntegrityCIA Security

Triad

StrategyDefense in Depth

• More layers does NOT guarantee more security

• Understand how layers/technologies integrate

• Simplify

• Balance People, Technology, and Operations

• Holistic approach to security TechnicalControls

PolicyControls

Physical Controls

Data and

Assets

Esri UC 2014 | Technical Workshop |

Mechanisms

Mechanisms

MechanismsUsers & Authentication

• User Store Options- Built-in user store

- Server, Portal, ArcGIS Online

- Enterprise user store- LDAP / Active Directory

• Authentication Options- Built-in Token Service

- Server, Portal, ArcGIS online

- Web-tier (IIS/Apache) w/ Web Adaptor- Windows Integrated Auth, PKI, Digest…

- Identity Provider (IdP) / Enterprise Logins- SAML 2.0 for ArcGIS Online & Portal

• ArcGIS Server patterns- Server-tier Auth w/ Built-in users

- Server-tier Auth w/ Enterprise Users

- Web-tier Auth w/ Enterprise Users

• Portal for ArcGIS patterns- Portal-tier Auth w/ Built-in users

- Portal-tier Auth w/ Enterprise users

- Web-tier Auth w/ Enterprise users

- SAML 2.0 Auth w/ Enterprise Users

• ArcGIS Online patterns- ArcGIS Online Auth w/ Built-in users

- SAML 2.0 Auth w/ Enterprise users

MechanismsAuthorization – Role-Based Access Control

• Out-of-box roles (level of permission)- Administrators

- Publishers

- Users

- Custom – Only for Portal for ArcGIS & ArcGIS Online

• ArcGIS for Server – Web service authorization set by pub/admin- Assign access with ArcGIS Manager

- Service Level Authorization across web interfaces

- Services grouped in folders utilizing inheritance

• Portal for ArcGIS – Item authorization set by item owner- Web Map – Layers secured independently

- Packages & Data – Allow downloading

- Application – Allows opening app

MechanismsAuthorization – Extending with 3rd Party components

• Web services- Conterra’s Security Manager (more granular)

- Layer and attribute level security

• RDBMS- Row Level or Feature Class Level

- Versioning with Row Level degrades performance- Alternative – SDE Views

• URL Based- Web Server filtering

- Security application gateways and intercepts

MechanismsFilters – 3rd Party Options

• Firewalls- Host-based

- Network-based

• Reverse Proxy

• Web Application Firewall- Open Source option ModSecurity

• Anti-Virus Software

• Intrusion Detection / Prevention Systems

• Limit applications able to access geodatabase

MechanismsFilters - Web Application Firewall (WAF)

• Implemented in DMZ

• Protection from web-based attacks

• Monitors all incoming traffic at the application layer

• Protection for public facing applications

• Can be part of a security gateway- SSL Certificates

- Load Balancer

Internet

Security GatewayWAF, SSL Accel, LB

Web servers

Internal Infrastructure

ArcGIS servers

443

DMZ

MechanismsEncryption – 3rd Party Options

• Network- IPSec (VPN, Internal Systems)

- SSL/TLS (Internal and External System)

- Cloud Encryption Gateways

- Only encrypted datasets sent to cloud

• File Based- Operating System – BitLocker

- GeoSpatially enabled PDF’s combined with Certificates

- Hardware (Disk)

• RDBMS- Transparent Data Encryption

- Low Cost Portable Solution - SQL Express w/TDE

MechanismsLogging/Auditing

• Esri COTS- Geodatabase history

- May be utilized for tracking changes- ArcGIS Workflow Manager

- Track Feature based activities- ArcGIS Server 10+ Logging

- “User” tag tracks user requests

• 3rd Party- Web Server, RDBMS, OS, Firewall- Consolidate with a SIEM

• Geospatial service monitors- Esri – System Monitor- Vestra – GeoSystems Monitor- Geocortex Optimizer

MechanismsGIS monitoring with System Monitor

• Proactive

• Integrated- Dashboards across all tiers

• End-to-End- All tier monitoring

• Continuous- %Coverage provided

• Extendable- Custom queries

Esri UC 2014 | Technical Workshop |

ArcGIS ServerMatt Lorrain

ArcGIS Server10.3 Enhancements

• ArcGIS Server Manager - New dashboard for administrators

• Portal for ArcGIS extension is included with ArcGIS for Server Standard and Advanced licenses- Support for SAML 2.0 authentication

- Management of group membership based on an enterprise identity store

- Custom roles to better control privileges of users

- Activity Dashboard to understand metrics for your portal

- More streamlined approach to configuring a high-availability portal configuration

- As of 10.3.1- Query and view portal logs using Portal Directory for identifying errors, issues or troubleshooting.

ArcGIS ServerSingle ArcGIS Server machine

Front-ending GIS Server with ReverseProxy or Web Adapter

Site AdministratorsConnect to Manager

GIS server, Data, Server directories, Configuration Store

Desktop, Web, and Mobile Clients

6080/6443

Site AdministratorsConnect to Manager

GIS server, Data, Server directories, Configuration Store

Desktop, Web, and Mobile Clients

6080/6443

80/443 Reverse Proxy Server

ArcGIS ServerArcGIS Server HA - Sites independent of each other

Site AdministratorsConnect to Manager

80

6080 6080

80

Server directories, Configuration Store

(duplicated between sites)

Site AdministratorsConnect to Manager

ArcGIS Server site ArcGIS Server site

Web Adaptors(optional)

Network Load Balancer (NLB)

Desktop, Web, and Mobile Clients

• Active-active configuration is shown- Active-passive is also an option

• Separate configuration stores and management- Scripts can be used to synchronize

• Cached map service for better performance

• Load balancer to distribute load

ArcGIS ServerArcGIS Server HA – Shared configuration store

80

6080 6080

80

Site AdministratorsConnect to Manager

Web Adaptors

Network Load Balancer (NLB)

Desktop, Web, and Mobile Clients

GIS servers

Data server, Data (enterprise geodatabase), Server directories, Configuration Store

•Shared configuration store

•Web Adaptor will correct if server fails

•Config change could affect whole site- Example: publishing a service

•Test configuration changes

ArcGIS ServerArcGIS Server HA – Clusters of Dedicated Services

80

6080 6080

80

Site AdministratorsConnect to Manager

Web Adaptors(optional)

Network Load Balancer (NLB)

Desktop, Web, and Mobile Clients

6080

Cluster A

Data server, Data (enterprise geodatabase), Server directories, Configuration Store

GIS servers

Cluster B

•Shared configuration store

•Server clusters- Perform same set of functions

•Example- Cluster A handles geoprocessing

services

- Cluster B handles less intensive services

Public IaaS

Enterprise deploymentReal Permutations

DatabaseFile

Geodatabase

FilteredContent

FieldWorker

EnterpriseBusiness

InternalPortal

InternalAGS

ExternalAGS

Business Partner 1

Business Partner 2

Public

ArcGIS Online

Private IaaS

DMZ

WAF, SSL AccelLoad Balancer

ArcGIS Site

HA NAS

Config Store

Directories

ArcGIS for Server

FGDB

Web Adaptor Round-Robin

ArcGIS for Server

GIS Services

GIS ServicesServer Request

Load Balancing

Port: 6080Port: 6080

GIS Server A GIS Server B

443

Clustered

HA DB1 HA DB2

Supporting Infrastructure

AD/ LDAP

IIS/Java Web Server

Port: 443

Auth Web Server

SQL

ADFS / SAML 2.0

ADFS Proxy

IIS/Java Web Server

Web Apps

WebAdaptor

Web Apps

IIS/Java Web Server

Network Load Balancing

Port: 80

WebAdaptor

Port: 80

Web Server A Web Server B

WebAdaptor

Web Apps

IIS/Java Web Server

Port: 80

Public Web Server

ArcGIS for ServerGIS

Services

Port: 6080

GIS Server B

Internet

ArcGIS ServerEnterprise Deployment

ArcGIS ServerImplementation Guidance

• Don’t expose Server Manager or Admin interfaces to public

• Disable Services Directory

• Disable Service Query Operation (as feasible)

• Limit utilization of commercial databases under website- File GeoDatabase can be a useful intermediary

• Require authentication to services

• Deploy ArcGIS Server(s) to DMZ if external users require access- One-way replication from enterprise database

• Restrict cross-domain requests- Implement a whitelist of trusted domains for

communications

Attack surface over time

Att

ack

surf

ace

Time

Esri UC 2014 | Technical Workshop |

MobileMatt Lorrain

MobileWhat are the mobile concerns?

*OWASP Top Ten Mobile: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

MobileSecurity Touch Points

Communication

Device access

Storage

Project access

Data access

Server authentication

SDE permissions

Service authorization

MobileChallenges

• Users are beyond corporate firewall- To VPN or not to VPN?

• Authentication/Authorization challenges

• Disconnected editing

• Management of mobile devices- Enterprise Mobility Management is the answer!

- Mobile Device Management

- Mobile Application Management

- Security Gateways

- Examples: MobileIron, MaaS360, Airwatch, and many more…

MobilePotential Access Patterns

DMZ

Web AdaptorIIS

NASShared config storeSQL Server

Portal

ArcGIS Server

Enterprise AD

AD FS 2.0

ArcGIS Desktop

VPN

Security Gateway

External facing GIS

ArcGIS

MobileImplementation Guidance

• Encrypt data-in-transit (HTTPS) via TLS

• Encrypt data-at-rest

• Segmentation- Use ArcGIS Online, Cloud, or DMZ systems to disseminate public-level data

• Perform Authentication/Authorization

• Use an Enterprise Mobility Management (EMM) solution- Secure e-mail

- Enforce encryption

- App distribution

- Remote wipe

- Control 3rd party apps & jailbreak detection

Esri UC 2014 | Technical Workshop |

CloudMatt Lorrain

CloudService Models

• Non-Cloud- Traditional systems infrastructure deployment- Portal for ArcGIS & ArcGIS Server

• IaaS- Portal for ArcGIS & ArcGIS Server- Some Citrix / Desktop

• SaaS- ArcGIS Online- Business Analyst Online

Dec

reas

ing

Cu

sto

mer

Res

po

nsi

bil

ity

Dec

reas

ing

Cu

sto

mer

Res

po

nsi

bil

ity

Customer ResponsibleEnd to End

Customer ResponsibleFor Application Settings

CloudDeployment Models

Cloud On-premise

IntranetIntranetIntranetIntranet

PortalPortalServerServer

On- Premises

IntranetIntranetIntranetIntranet

PortalPortalServerServer

Read-only

Basemaps

On-Premises +

IntranetIntranetIntranetIntranet

ServerServer

OnlineOnline

Hybrid 1Public

IntranetIntranetIntranetIntranet

OnlineOnline

IntranetIntranetIntranetIntranet

OnlineOnline ServerServerServerServerServerServer

Hybrid 2

CloudManagement Models

• Self-Managed- Your responsibility for managing IaaS deployment

security- Security measures discussed later

• Provider Managed- Esri Managed Services (Standard Offering)- New Esri Managed Cloud Services (EMCS) Advanced Plus

- FedRAMP Moderate environment

CloudIaaS – Amazon Web Services

• 8 Security Areas to Address- Virtual Private Cloud (VPC)

- Identity & Access Management (IAM)

- Administrator gateway instance(s) (Bastion)

- Reduce attack surface (Hardening)

- Security Information Event Management (SIEM)

- Patch management (SCCM)

- Centralized authentication/authorization

- Web application firewall (WAF)

CloudEMCS Advanced Plus Offering

ArcGIS Online front-end (Low)Managed Services back-end (Mod)

Centralized Authentication (2-factor)

Key Management

Network Address Translation

Virtual Private Cloud (Segmentation)

Redundancy (multiple data centers)

IDS/SIEM/WAF

Logging

Customer Databases

Customer Instances

ArcGIS for Server

Portal for ArcGIS

Security Infrastructure

ArcGIS Online

End Users

Esri Cloud GIS Administrator

CloudHybrid deployment combinations

On-Premises

Users

AppsAnonymous

Access

Esri Managed Cloud Services

• Ready in days

• All ArcGIS capabilities at your disposal in the cloud

• Dedicated services

• FedRAMP Moderate

• Ready in months/years• Behind your firewall• You manage & certify

• Ready in minutes• Centralized geo discovery• Segment anonymous

access from your systems• FISMA Low

ArcGIS Online

. . . All models can be combined or separate

ArcGIS Online

CloudHybrid

AGOLOrg

Group“TeamGreen”

Group“TeamGreen”

Hosted Services,Content

Public DatasetStorage

On-PremisesArcGIS Server

User RepositoryAD / LDAP

2. Enterprise Login(SAML 2.0)

1. Register Services

Users

3. Request to View 4. Access Service

ArcGIS OrgAccounts

External Accounts

Segment sensitive data internally and public data in cloud

CloudHybrid – Data sources

• Where are internal and cloud datasets combined?- At the browser - The browser makes separate requests for information to multiple

sources and does a “mash-up”- Token security with SSL or even a VPN connection could be used

between the device browser and on-premises system

On-Premises Operational Layer Service

Cloud Basemap ServiceArcGIS Online

Browser Combines Layers

http://services.arcgisonline.com...https://YourServer.com/arcgis/rest...

CloudArcGIS Online – Implementation Guidance

• Require HTTPS

• Do not allow anonymous access

• Allow only standard SQL queries

• Restrict members for sharing outside of organization (as feasible)

• Use enterprise logins with SAML 2.0 with existing Identity Provider (IdP)- If unable, use a strong password policy (configurable) in ArcGIS Online- Enable multi-factor authentication for users

• Use multifactor for admin accounts

• Use a least-privilege model for roles and permissions- Custom roles

Esri UC 2014 | Technical Workshop |

Compliance

ComplianceArcGIS Platform Security

• Esri Corporate

• Cloud Infrastructure Providers

• Products and Services

• Solution Guidance

ComplianceExtensive security compliance history

Esri has actively participated in hosting and advancing secure compliant solutions for over a decade

2010 2011 2012 2013 2014

FedRAMP Announced

ArcGIS Online FISMA Authorization

OMB FedRAMP Mandate

First FedRAMP Authorization

2012 2013 2014 2015 2016

EMCS FedRAMP Compliant

Esri Hosts FederalCloud Computing Security Workshop

PlannedArcGIS OnlineFedRAMPAuthorization

Esri Participates in First Cloud Computing Forum

2002…

2005…

FISMA Law Established

Esri GOS2 FISMAAuthorization

Compliance

• ISO 27001- Esri’s Corporate Security Charter

• Privacy Assurance- US EU/Swiss SafeHarbor self-certified

- TRUSTed cloud certified

Esri Corporate

Compliance

• ArcGIS Online Utilizes World-Class Cloud Infrastructure Providers- Microsoft Azure

- Amazon Web Services

Cloud Infrastructure Security Compliance

Cloud Infrastructure Providers

ComplianceProducts and Services

• ArcGIS Online- FISMA Low Authority to Operate by USDA (Jun 2014)

- FedRAMP - Upcoming

• Esri Managed Cloud Services (EMCS)- FedRAMP Moderate (Jan 2015)

• ArcGIS Server- DISA STIG – (Expected 2015)

• ArcGIS Desktop- FDCC (versions 9.3-10)

- USGCB (versions 10.1+)

- ArcGIS Pro (Expected 2015)

ComplianceSolution Level

• Geospatial Deployment Patterns to meet stringent security standards- Hybrid deployments

- On-premise deployments

• Supplemented with 3rd party security components- Enterprise Identity management integration - CA SiteMinder (Complete)

- Geospatial security constraints – ConTerra (Started)

- Mobile security gateway integration – (Upcoming)

• Upcoming best practice security compliance alignment guidance- CJIS – Law Enforcement (Started)

- STIGs – Defense (Started)

- HIPAA – Healthcare (Future)

ComplianceArcGIS Online Assurance Layers

Web Server & DB software

Operating system

Instance Security

Management

Hypervisor

ArcGISManagement

Cloud Providers

Physical

Web App Consumption

Customer

Esri

Cloud ProviderISO 27001 SSAE16FedRAMP Mod

AGOL SaaSFISMA Low(USDA)SafeHarbor(TRUSTe)

ComplianceDeployment Model Responsibility

ComplianceCloud Roadmap

ArcGIS OnlineFISMA

Low

Managed Services (EMCS)

FedRAMPMod

ArcGIS OnlineFedRAMP

2014

2015Upcoming

Esri UC 2014 | Technical Workshop |

Summary

Summary

• Security demands are rapidly evolving- Prioritize efforts accord to your industry and needs- Don’t just add components, simplified Defense In Depth approach

• Secure Best Practice Guidance is Available- Check out the ArcGIS Trust Site!- Security Architecture Workshop

- SecureSoftwareServices@esri.com

• Please fill out the session survey in your mobile app

• In the agenda, click on the title of this session- Enterprise GIS: Security Strategy

• Click “Technical Workshop Survey”

• Answer a few short questions and enter any comments

Thank you…

Want to Learn More?

• ArcGIS Online: A Security, Privacy, and Compliance Overview- Wed 10:15am Room 17B

• ArcGIS Server & Portal for ArcGIS: An Introduction to Security- Tues 3:15pm Room 4, Thurs 1:30pm Room 4

• ArcGIS Server: Advanced Security- Wed 3:!5pm Room 3, Thurs Room 4

• Best Practices in Setting up Secured Services in ArcGIS for Server- Tues 5:30pm Demo Theater 14

• Building Security into your System- Tues 4:30pm Implementation Center

• Oauth 2 and Authentication in ArcGIS Online Demystified- Tues 2:30pm Demo Theater 11

• Using Enterprise Logins for Portal in ArcGIS via SAML- Tues 5:30pm, Wed 2:30pm Demo Theater 7

Esri Security Standards & Architecture TeamSecureSoftwareServices@Esri.com